<div dir="ltr">Hi Andrii,<div><br></div><div>I have set up a libreswan IPsec VPN tunnel as a route-based VPN through a VTI interface. Please find the configurations below.<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><b>IPSec VPN Tunnel Server 1 (IP: 172.31.1.54)</b>
<pre>
[root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
 left=172.31.1.54
 right=172.31.15.8
 authby=secret
 #leftsubnet=0.0.0.0/0
 #rightsubnet=0.0.0.0/0
 auto=add
 # route-based VPN requires marking and an interface
 mark=5/0xffffffff
 vti-interface=vti01
 # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
 vti-routing=no
 # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
 leftvti=10.0.1.1/24
[root@ip-172-31-1-54 log]# ip a
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 9001 qdisc mq state UP qlen 1000
 link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
 inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
 valid_lft 2763sec preferred_lft 2763sec
3: ip_vti0@NONE: &lt;NOARP&gt; mtu 1480 qdisc noop state DOWN qlen 1
 link/ipip 0.0.0.0 brd 0.0.0.0
10: vti01@NONE: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 8981 qdisc noqueue state UNKNOWN qlen 1
 <b>link/ipip 172.31.1.54 peer 172.31.15.8</b>
 <b>inet 10.0.1.1/24</b> scope global vti01
 valid_lft forever preferred_lft forever
[root@ip-172-31-1-54 log]#ps aux | grep ipsec
root 7903 0.0 0.0 204880 7692 ? Ssl 07:10 0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-1-54 log]# ip xfrm policy
src 172.31.1.54/32 dst 172.31.15.8/32
 dir out priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.1.54 dst 172.31.15.8
 proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
 dir fwd priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.15.8 dst 172.31.1.54
 proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
 dir in priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.15.8 dst 172.31.1.54
 proto esp reqid 16393 mode tunnel
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
 Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
 Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
 Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 7964 (bird)
 CGroup: /system.slice/bird.service
 └─7964 /usr/sbin/bird
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# birdc
BIRD 1.6.4 ready.
bird&gt; show status
BIRD 1.6.4
Router ID is 10.0.1.1
Current server time is 2018-04-12 07:28:42
Last reboot on 2018-04-12 07:10:59
Last reconfiguration on 2018-04-12 07:10:59
Daemon is up and running
bird&gt; show interfaces
lo up (index=1)
 MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
 127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
 MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
 172.31.1.54/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
 MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=10)
 PtP Multicast AdminUp LinkUp MTU=8981
 10.0.1.1/24 (Primary, scope site)
bird&gt; show protocols
name proto table state since info
kernel1 Kernel master up 07:11:00
device1 Device master up 07:11:00
testbgp BGP master start 07:11:00 Idle
bird&gt; show protocols all
name proto table state since info
kernel1 Kernel master up 07:10:59
 Preference: 10
 Input filter: ACCEPT
 Output filter: ACCEPT
 Routes: 1 imported, 0 exported, 1 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 1 0 0 0 1
 Import withdraws: 0 0 --- 0 0
 Export updates: 1 1 0 --- 0
 Export withdraws: 0 --- --- --- 0
device1 Device master up 07:10:59
 Preference: 240
 Input filter: ACCEPT
 Output filter: REJECT
 Routes: 0 imported, 0 exported, 0 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 0 0 0 0 0
 Import withdraws: 0 0 --- 0 0
 Export updates: 0 0 0 --- 0
 Export withdraws: 0 --- --- --- 0
testbgp BGP master start 07:10:59 Idle
 Preference: 160
 Input filter: ACCEPT
 Output filter: (unnamed)
 Routes: 0 imported, 0 exported, 0 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 0 0 0 0 0
 Import withdraws: 0 0 --- 0 0
 Export updates: 0 0 0 --- 0
 Export withdraws: 0 --- --- --- 0
 BGP state: Idle
 Neighbor address: 10.1.2.2
 Neighbor AS: 65003
bird&gt;
</pre></blockquote><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><b>IPSec VPN Tunnel Server 2 (IP: 172.31.15.8)</b>
<pre>
[root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
 left=172.31.15.8
 right=172.31.1.54
 authby=secret
 #leftsubnet=0.0.0.0/0
 #rightsubnet=0.0.0.0/0
 auto=add
 # route-based VPN requires marking and an interface
 mark=5/0xffffffff
 vti-interface=vti01
 # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
 vti-routing=no
 # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
 leftvti=10.0.1.1/24
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]# ps aux | grep ipsec
root 6483 0.0 0.0 204880 7684 ? Ssl 07:36 0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
[root@ip-172-31-15-8 ~]# ip a
1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN qlen 1
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 9001 qdisc mq state UP qlen 1000
 link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
 inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
 valid_lft 3063sec preferred_lft 3063sec
3: ip_vti0@NONE: &lt;NOARP&gt; mtu 1480 qdisc noop state DOWN qlen 1
 link/ipip 0.0.0.0 brd 0.0.0.0
7: vti01@NONE: &lt;POINTOPOINT,NOARP,UP,LOWER_UP&gt; mtu 8981 qdisc noqueue state UNKNOWN qlen 1
 <b>link/ipip 172.31.15.8 peer 172.31.1.54</b>
 <b>inet 10.0.1.1/24</b> scope global vti01
 valid_lft forever preferred_lft forever
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]# ip xfrm policy
src 172.31.15.8/32 dst 172.31.1.54/32
 dir out priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.15.8 dst 172.31.1.54
 proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
 dir fwd priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.1.54 dst 172.31.15.8
 proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
 dir in priority 2080 ptype main
 mark 5/0xffffffff
 tmpl src 172.31.1.54 dst 172.31.15.8
 proto esp reqid 16393 mode tunnel
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
 Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
 Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
 Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 6660 (bird)
 CGroup: /system.slice/bird.service
 └─6660 /usr/sbin/bird
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started
[root@ip-172-31-15-8 ~]# birdc
BIRD 1.6.4 ready.
bird&gt; show status
BIRD 1.6.4
Router ID is 10.0.1.2
Current server time is 2018-04-12 07:49:13
Last reboot on 2018-04-12 07:48:43
Last reconfiguration on 2018-04-12 07:48:43
Daemon is up and running
bird&gt; show interfaces
lo up (index=1)
 MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
 127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
 MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
 172.31.15.8/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
 MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=7)
 PtP Multicast AdminUp LinkUp MTU=8981
 10.0.1.1/24 (Primary, scope site)
bird&gt; show protocols
name proto table state since info
kernel1 Kernel master up 07:48:43
device1 Device master up 07:48:43
testbgp BGP master start 07:48:43 Idle
bird&gt; show protocols all
name proto table state since info
kernel1 Kernel master up 07:48:44
 Preference: 10
 Input filter: ACCEPT
 Output filter: ACCEPT
 Routes: 1 imported, 0 exported, 1 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 1 0 0 0 1
 Import withdraws: 0 0 --- 0 0
 Export updates: 1 1 0 --- 0
 Export withdraws: 0 --- --- --- 0
device1 Device master up 07:48:44
 Preference: 240
 Input filter: ACCEPT
 Output filter: REJECT
 Routes: 0 imported, 0 exported, 0 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 0 0 0 0 0
 Import withdraws: 0 0 --- 0 0
 Export updates: 0 0 0 --- 0
 Export withdraws: 0 --- --- --- 0
testbgp BGP master start 07:48:44 Idle
 Preference: 160
 Input filter: ACCEPT
 Output filter: (unnamed)
 Routes: 0 imported, 0 exported, 0 preferred
 Route change stats: received rejected filtered ignored accepted
 Import updates: 0 0 0 0 0
 Import withdraws: 0 0 --- 0 0
 Export updates: 0 0 0 --- 0
 Export withdraws: 0 --- --- --- 0
 BGP state: Idle
 Neighbor address: 10.1.2.2
 Neighbor AS: 65003
bird&gt;
[root@ip-172-31-15-8 ~]#
</pre></blockquote><div><br></div><div>Please let me know if the above configurations are correct and whether this is the right approach to set up a redundant route-based VPN using VTI. I have a couple of follow-up questions: how do I test failover between the two IPsec VPN servers using VTI, and how do I test the BIRD daemon using BGP, as I have configured BIRD on both servers for the network architecture shown in <a href="https://i.imgur.com/dLFovre.png" target="_blank">https://i.imgur.com/dLFovre.png</a></div><div><br></div><div>Thanks in advance; your help will be really appreciated. I look forward to hearing from you.</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal</div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 17, 2018 at 12:40 AM, Andrii Petrenko <span dir="ltr">&lt;<a href="mailto:aplsms@gmail.com" target="_blank">aplsms@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><a href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a><div><br><div>
<div dir="auto"><div>---<br>Andrii Petrenko<br><a href="mailto:aplsms@gmail.com" target="_blank">aplsms@gmail.com</a></div></div>
</div><div><div class="h5">
<div><br><blockquote type="cite"><div>On Apr 16, 2018, at 11:26, Kaushal Shriyan &lt;<a href="mailto:kaushalshriyan@gmail.com" target="_blank">kaushalshriyan@gmail.com</a>&gt; wrote:</div><br><div><div dir="ltr">Hi,<div><br></div><div>I will appreciate it if anyone can point me to a doc on setting up a route-based VPN in Linux using VTI.</div><div>Thanks in advance.</div><div><br></div><div>I look forward to hearing from you.</div><div><br></div><div>Best Regards,</div><div><br></div><div>Kaushal</div></div>
</div></blockquote></div><br></div></div></div></div></blockquote></div><br></div>
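<p>The message above asks whether the two configurations are correct and how to test the BGP session that runs over the VTI. One way to check that mechanically, as an added example (this is not code from libreswan, BIRD or the thread), is to parse both <code>conn routed-vpn</code> blocks and the <code>testbgp</code> section of each server's <code>birdc show protocols all</code> output, then test the invariants a VTI tunnel carrying BGP needs: mirrored <code>left</code>/<code>right</code>, the same <code>mark</code> on both ends (it is the selector the XFRM policies above key on), two distinct VTI addresses in one subnet, each side peering with the other side's VTI address, and a session that is Established rather than Idle. The names <code>parse_conn</code>, <code>parse_bgp</code> and <code>check_pair</code> are this example's own; the sample inputs are copied from the post, and the "fixed" inputs at the end are constructed to show what a consistent pair looks like. Run on the blocks as posted it reports five findings: both VTI interfaces are given 10.0.1.1/24, the neighbor 10.1.2.2 is not the peer's VTI address on either side, and both sessions are Idle.</p>

```python
"""Consistency check for a pair of libreswan route-based (VTI) conn blocks and
the BGP session each side reports. Added example, not code from libreswan,
BIRD or the mailing-list post; the sample inputs are copied from the post and
the FIXED_* inputs are constructed."""
import ipaddress
import re

# Option lines relevant to the check, from the posted server 1 block.
SERVER1_CONF = """\
conn routed-vpn
 left=172.31.1.54
 right=172.31.15.8
 mark=5/0xffffffff
 vti-interface=vti01
 leftvti=10.0.1.1/24
"""

# Option lines relevant to the check, from the posted server 2 block.
SERVER2_CONF = """\
conn routed-vpn
 left=172.31.15.8
 right=172.31.1.54
 mark=5/0xffffffff
 vti-interface=vti01
 leftvti=10.0.1.1/24
"""

# 'testbgp' section of 'birdc show protocols all'; identical on both servers in the post.
POSTED_BGP = """\
testbgp BGP master start 07:10:59 Idle
 BGP state: Idle
 Neighbor address: 10.1.2.2
 Neighbor AS: 65003
"""


def parse_conn(text):
    """Return the key=value options of a libreswan conn block as a dict.
    Blank lines, '#' comments and the 'conn <name>' header are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def parse_bgp(text):
    """Extract BGP state and neighbor address from birdc protocol output."""
    state = re.search(r"BGP state:\s*(\S+)", text)
    neighbor = re.search(r"Neighbor address:\s*(\S+)", text)
    return {"state": state.group(1) if state else None,
            "neighbor": neighbor.group(1) if neighbor else None}


def check_pair(conf_a, conf_b, bgp_a, bgp_b):
    """Return the list of problems found; an empty list means the pair is consistent."""
    a, b = parse_conn(conf_a), parse_conn(conf_b)
    problems = []
    if a["left"] != b["right"] or a["right"] != b["left"]:
        problems.append("left/right do not mirror between the two sides")
    if a.get("mark") != b.get("mark"):
        problems.append("mark differs: %s vs %s" % (a.get("mark"), b.get("mark")))
    vti_a = ipaddress.ip_interface(a["leftvti"])
    vti_b = ipaddress.ip_interface(b["leftvti"])
    if vti_a.ip == vti_b.ip:
        problems.append("both VTI interfaces carry the same address %s" % vti_a.ip)
    elif vti_a.network != vti_b.network:
        problems.append("VTI addresses %s and %s are not in one subnet" % (vti_a, vti_b))
    # Each side must peer with the other side's VTI address, and be Established.
    for side, bgp_text, peer_vti in (("side A", bgp_a, vti_b), ("side B", bgp_b, vti_a)):
        bgp = parse_bgp(bgp_text)
        if bgp["neighbor"] != str(peer_vti.ip):
            problems.append("%s: BGP neighbor %s is not the peer VTI address %s"
                            % (side, bgp["neighbor"], peer_vti.ip))
        if bgp["state"] != "Established":
            problems.append("%s: BGP state is %s, not Established" % (side, bgp["state"]))
    return problems


# Constructed inputs showing what the check expects: server 2 on its own VTI
# address, each side peering with the other's VTI address, sessions Established.
FIXED_SERVER2_CONF = SERVER2_CONF.replace("leftvti=10.0.1.1/24", "leftvti=10.0.1.2/24")
FIXED_BGP_A = POSTED_BGP.replace("Idle", "Established").replace("10.1.2.2", "10.0.1.2")
FIXED_BGP_B = POSTED_BGP.replace("Idle", "Established").replace("10.1.2.2", "10.0.1.1")

if __name__ == "__main__":
    for label, args in (("posted", (SERVER1_CONF, SERVER2_CONF, POSTED_BGP, POSTED_BGP)),
                        ("fixed", (SERVER1_CONF, FIXED_SERVER2_CONF, FIXED_BGP_A, FIXED_BGP_B))):
        found = check_pair(*args)
        print("%s: %s" % (label, "consistent" if not found else "%d problem(s)" % len(found)))
        for problem in found:
            print("  - " + problem)
```

<p>A check of this shape belongs in whatever step deploys the two conn files, so a mismatch between the ends is caught before the tunnel is brought up rather than diagnosed from an Idle session afterwards. The same <code>parse_bgp</code> applied to both servers' live <code>birdc</code> output is also the simplest failover probe: the side whose session is Established is the one currently carrying routes, and a failover test is complete only when that side changes after one tunnel is taken down.</p>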